Trust, not escalation, should be the United States’ cyberspace policy
The recent commemoration of the end of World War I, marked in capitals around the world, should give us pause to reflect on conflicts to come. The 21st century will see new arenas for conflict, and with them new rules of engagement and acceptable behavior in time of war. The internet will almost certainly be one of these new battlefields — but the challenge for many national leaders is not so much unrestricted digital warfare as the daily avalanche of cyberattacks that fall short of war. These cyberattacks threaten energy grids, hospitals, vaccine researchers, company secrets and all the digital underpinnings of modern life. How these threats can be managed is a significant problem when digital attackers can be nearly anonymous, even if they are states or state-backed actors.
In an early recognition of this problematic reality, French President Emmanuel Macron launched the Paris Call for Trust and Security in Cyberspace on Nov. 12, 2018. The call sets out simple principles for states that want a more stable and secure online world, including that they work with the companies and organizations that built and now operate the internet.
It is a first-of-a-kind multi-stakeholder, multi-lateral attempt to ensure peace and security in cyberspace.
The Cybersecurity Tech Accord has been a vocal supporter of the Paris Call ever since its launch. We believe that it creates the best kind of multi-stakeholder coalition: one that can realistically respond to the challenges of escalating conflict in cyberspace by bringing together governments, tech companies and civil society.
Today 79 governments have signed up to the Paris Call, among them key American allies such as Australia, Canada, Japan and the UK, alongside public and civil society organizations from around the world, including American cities and states from Louisville, Ky., to the Commonwealth of Virginia. There are those, however, who are not currently on board with the Paris Call. They include Iran, the Russian Federation, the People’s Republic of China — and the United States of America.
There is a genuine and respectable rationale that has brought the U.S. to this place. The current administration has been reluctant to limit its options when it comes to cyber warfare. It has also been unwilling to tie America’s hands if rivals are not doing so as well. Certainly cyberattacks are going to be a key component of future war planning and, when push comes to shove, war fighting. Ruling them out entirely makes little sense, but this is not what the Paris Call does.
Within the nine principles set out in 2018 the U.S. could commit to avoiding significant, indiscriminate or systemic harm to critical digital infrastructure ahead of war without limiting itself once war breaks out. Certainly nations such as France and the United Kingdom, who have fought alongside the U.S. in the recent past, find no contradiction between their future military needs and preserving the internet from proliferating cyber weapons and escalating cyberattacks.
The reason the American position matters is that establishing norms of acceptable behavior in conflicts requires the participation and leadership of the most powerful states of the age.
The internet is a great global mass of connectivity and communication. It is inherently multi-lateral and multi-stakeholder. Everybody has some sort of stake in it, and everybody needs to commit to protecting it.
The absence of the U.S. from that protective process fundamentally undermines it and, even worse, creates the space for some states to promote their vision of an internet that is more hostile to the freedoms of the Western world.
The U.S. is not just any country. When it comes to securing the survival of the internet and the digital technologies that so many of us now depend on due to COVID, we need American leadership and American participation.
Annalaura Gallo is Head of Secretariat for the Cybersecurity Tech Accord (@cybertechaccord), a collaboration among 147 global companies to improve the security, stability and resilience of cyberspace.